Summary

Cryptography is the science of designing algorithms and
protocols that guarantee privacy, authenticity, and integrity of data when
parties are communicating or computing in an insecure environment. The
recent explosion of electronic communication and commerce has expanded the
significance of cryptography far beyond its historical
military role into all of our daily lives. For example,
cryptography provides the technology that allows you to use your credit
card to make on-line purchases without allowing other people on the internet to
learn your credit card number.

The past 25 years have also seen cryptography transformed from an ad hoc
collection of mysterious tricks into a rigorous science based on firm
complexity-theoretic foundations. It is this modern, complexity-theoretic
approach to cryptography that will be the focus of this course.
Specifically, we will see how cryptographic problems can be given precise
mathematical definitions. Then we will construct algorithms which provably
satisfy these definitions, under precisely stated and widely believed
assumptions. For example, we will see how to prove statements of the
flavor "Encryption algorithm X hides all information about the message
being transmitted, under the assumption that
factoring integers is computationally infeasible." (Of course, this
kind of statement will be given a precise meaning.)

What can you hope to learn from this course?

Definitions: Why
it is important to precisely define cryptographic problems, and how to do so for several important problems
(encryption, authentication, digital signatures, ...). The kinds of
subtleties that arise in such definitions, and how to critically evaluate
and interpret cryptographic definitions.

Constructions & Proofs
of Security: Examples of general & concrete solutions to
various cryptographic problems, and how to prove that they satisfy the
definitions mentioned above (based on precisely stated assumptions).

Foundations: The
assumptions on which modern cryptography is based, and their implications.

Theory vs. Practice:
This course will focus on theory, but we will discuss how the theory
relates to what is actually done in practice.

Applications: If time
permits, we will see one or two examples of how to address cryptographic
issues in higher-level protocol problems, such as auctions, voting, or
electronic cash.

Security: This is not
a course on security, but if time permits, we will discuss how cryptography
fits into the broader contexts of network and systems security.

What this course will NOT teach you:

Acronyms: There
are many different cryptographic algorithms, protocols, and standards out
there, each with its own acronym. It is not the aim of this course to
cover these specific systems, which may come and go, but rather the
general principles on which good cryptography is based.
Understanding these principles will enable you to evaluate the specific
systems you encounter outside this course, on your own. (This is not
to say that the course will be without examples, but the examples will be
selectively chosen mainly for illustrative purposes.)

Hacking: We will
not teach you how to "break" or "hack" systems.

Security: We
will not teach you "how to secure your system".
Cryptography is only one part of security, albeit an important one.

Everything there is to
know about cryptography: Cryptography is a vast subject, and we
will not attempt to be comprehensive here. Instead, we aim to convey
the main principles, philosophy, and techniques which guide the subject,
focusing on the most basic primitives, such as encryption and digital
signatures. This should put you in a good position to read about
other topics on your own or take more advanced courses on cryptography.

Tentative List of Topics

Introduction

Review of Algorithms and Probability

Private-Key Encryption: Defining Security

Computational Number Theory

One-Way Functions

Pseudorandom Generators & Pseudorandom Functions

Private-Key Encryption: Constructions

Private-Key Encryption in Practice: Block Ciphers

Trapdoor Functions & Public-Key Encryption

Message Authentication, Digital Signatures, and Hashing

Zero-Knowledge Proofs

Protocols

Network & Systems Security

Policy Issues

Conclusions & what we didn't cover

Prerequisites

The formal prerequisite for the course is one prior course
in theoretical computer science, such as CSCI E-207 or E-124. (Students
with strong math backgrounds may be able to manage with extra background reading
and/or taking E-124 concurrently; come to my office hours to discuss.)
The main skills that will be assumed from these courses are:

The ability to understand
and write formal mathematical definitions and proofs.

Comfort with reasoning
about algorithms, such as proving their correctness and analyzing their
running times.

It is also important that you are familiar with basic probability. Additional background that will be
helpful:

While it is not necessary to have had exposure to all
of these topics prior to CSCI E-177, familiarity with none will probably make it
quite difficult to keep up.

Grading

Weekly problem sets: 50%

Two midterm quizzes: 10% each

Final exam: 25%

Class participation: 5%

Your class participation grade is based on
participation in sections, but can also be boosted by participation in section,
emailing the course staff,
and/or coming to office hours or section with "good" questions or
comments. A "good" question is one which is not just aimed to help you
answer questions on the problem set or exam. It is one that shows genuine
interest in the material and that you have been thinking about the course
material on your own. Do not be afraid of asking "stupid" questions!
Class participation also includes viewing the online lectures,
participating in sections either in person or online, and
participating in discussions on the course website. We will account for
the different nature of class participation for distance students when
computing their class participation grades.

Problem Sets & Collaboration Policy

The course will
have weekly problem sets, due as posted on each assignment and the course
website. They will be due either in the course box marked CS120 in the basement
of Maxwell Dworkin or electronically by submission to the Assignments
dropbox on the course website. If you prefer to handwrite your assignments,
you may scan them and submit them electronically instead of submitting them
in the course box. Please remember to write your name on the assignment and
indicate it is for CSCI E-177.

Assignments are due on the date specified on the assignment.
It is important that students keep up with the lecture material by
completing the assignments on time; in addition, we cannot return
graded assignments or solutions until all students have handed in their assignments.
Late work will only be accepted in case of exceptional unforeseen
circumstances by prior application to the teaching assistant:
if something comes up that may prevent you from turning your work in on
time, ask for more time immediately, not when you run out of time the day
before the assignment is due.
Project deadlines at work and obligations for other courses are
not exceptional, and you should budget your time accordingly.

Collaboration on homework is permitted with small groups of other
students, provided that you limit your collaboration to verbal discussion of
solutions in general terms and not specific language of the solutions to be
handed in. Because email tends to result in specific, crafted language,
students are expressly forbidden from exchanging email about solutions to
problem sets. You may collaborate via in-person meetings, telephone,
instant messenger, or web conference; please clearly indicate the names of any
collaborators on your assignment.

Sections

There will be weekly sections, which will be used
to clarify difficult points from lecture, review background
material, go over previous homework solutions, and sometimes provide interesting
supplementary material. We will attempt to schedule sections at a time when
distance students can participate over online chat. Section times will be
arranged in the first week or two of class.

Readings

There is no required text for the course other than the lecture notes, but
you may find the following to be useful references (but beware that some of the
notation, conventions, and definitions may differ slightly from lecture):

Jonathan Katz and Yehuda
Lindell. An Introduction to Modern Cryptography. This
is a preliminary version of a textbook in-writing that the authors have
graciously allowed us to use. Its level and contents seem to fit
this course very well, so copies of the relevant chapters will be handed out in
section and available for printing via the course website.
The preliminary state of the book means, however, that some
chapters are not yet written (particularly the ones relevant to the
beginning of the course) and that there may be some errors. In
return for the authors' sharing this book with us, we should compile a
list of errors and constructive suggestions to send the authors at the end
of the term. We will set up a discussion tool on the course website
for this purpose.

Oded Goldreich. Foundations of
Cryptography. This two-volume set is a very comprehensive
and definitive treatment of the theoretical foundations of
cryptography. Volumes I and II cover most of what we'll be doing in
this course in far greater depth, though the treatment is more abstract than
ours. Volume I contains most of the still-unwritten material from the
Katz-Lindell text. If you plan to continue on in cryptography
(particularly as a researcher), I highly recommend purchasing these books.

Other texts on cryptography take a much less careful
approach to definitions and proofs of security than we do. Still, they
can serve as good references for more examples of concrete cryptosystems used
in practice and some high-level ideas. After this course, you should
understand how to critically evaluate the merits or deficiencies of the
cryptosystems described in the books below (and indeed we urge you to have a
critical eye when reading them):